The Green Sheet

Friday, January 17, 2014

Target breach reveals software security flaws

More details about the Target Corp. breach are starting to emerge. On Jan. 10, 2014, Target revised its estimate of the number of cardholder accounts compromised in the December 2013 breach from 40 million to as many as 70 million, while other reports have put the number at well over 100 million.

Additionally, news outlets reported on Jan. 16 that the malicious software injected into Target's network to steal cardholder data was written in Russian. But what is not getting as much media attention is that the problem of data security goes beyond the well-documented deficiencies of mag stripe payment card technology.

According to connected smart card firm Tyfone Inc., the fatal flaw of the global security infrastructure is that it is software-based. Tyfone said cardholder data, not to mention all other kinds of enterprise data, is stored in the cloud, and that data is accessed via public networks fraudsters can easily penetrate.

"We have put all of our assets in the cloud," said Dr. Siva Narendra, co-founder and Chief Executive Officer at Tyfone. "All of our eggs are in one basket − trillions and trillions of dollars in the basket. What do we do to protect it?" The answer too often is that protection is an easily hackable login name and password.

And even if software security is strengthened, Don Bloodworth, Chief Financial Officer at Tyfone, believes it is still not enough. "Software is easier to deploy and scale," he said. "But this is one area where it is very difficult to support the fact that software can solve this problem. It really can't."

Tyfone said the solution is to transfer security from software in the cloud to hardware controlled by each individual cardholder. Tyfone supports the migration of the mag stripe-based U.S. payments ecosystem to the Europay, MasterCard and Visa (EMV) smart card standard, where the card's secret keys are held in a tamper-resistant chip embedded in the plastic card and each transaction is authenticated with a one-time cryptogram rather than static data copied off a stripe.

Thus, instead of hackers remotely breaking into a database stored in the cloud to steal information from millions of accounts, they would have to break into millions of individual EMV cards physically held by the cardholders to steal that same amount of data. The PAN still passes through the terminal, so EMV on its own does not stop memory scraping; what it removes is the value of the harvested data, because a cryptogram is good for one transaction and a clone cannot produce the next one.
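The argument above rests on the difference between static stripe data and a per-transaction cryptogram. The following added example models that difference; it is not Tyfone's code nor the EMV specification's own algorithm. Assumptions not drawn from the article: HMAC-SHA256 stands in for the 3DES/AES-based Application Cryptogram of real EMV, the cryptogram input is reduced to PAN, amount, Application Transaction Counter (ATC) and the terminal's unpredictable number, and the PAN, expiry and card key are constructed test values.

```python
"""Static mag stripe data vs. an EMV-style dynamic cryptogram (simplified model).

Added example, not from the article or from Tyfone/EMV. HMAC-SHA256 replaces
the real EMV cryptogram algorithm; all card data and keys are constructed.
"""
import hashlib
import hmac
import os

TEST_PAN = "4111111111111111"                                        # constructed
TEST_EXPIRY = "2512"                                                 # YYMM, constructed
TEST_CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed


def magstripe_track2(pan: str, expiry: str, service_code: str = "101") -> str:
    """Everything a stripe reader (or a RAM scraper) sees: static data that is
    identical on every swipe, so a captured copy is as good as the card."""
    return f";{pan}={expiry}{service_code}0000000000?"


def _ac_message(pan: str, amount_cents: int, atc: int, un: bytes) -> bytes:
    """Fields bound into the cryptogram (simplified from real EMV)."""
    return f"{pan}|{amount_cents}|{atc}|".encode() + un


class ChipCard:
    """Chip side: the key never leaves the card; only a per-transaction MAC does."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_ac(self, amount_cents: int, un: bytes) -> dict:
        self.atc += 1  # ATC: strictly increasing, never reused
        msg = _ac_message(self.pan, amount_cents, self.atc, un)
        ac = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc, "un": un, "ac": ac}


class Issuer:
    """Issuer host: holds each card's key and the highest ATC accepted so far."""

    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan: str, key: bytes) -> None:
        self.keys[pan] = key
        self.last_atc[pan] = 0

    def authorize(self, txn: dict, terminal_un: bytes) -> bool:
        key = self.keys.get(txn["pan"])
        if key is None:
            return False
        if txn["un"] != terminal_un:                 # made for a different challenge
            return False
        if txn["atc"] <= self.last_atc[txn["pan"]]:  # counter did not advance: replay
            return False
        expected = hmac.new(key, _ac_message(txn["pan"], txn["amount"], txn["atc"], txn["un"]),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, txn["ac"]):  # amount tampered or no key
            return False
        self.last_atc[txn["pan"]] = txn["atc"]
        return True


def demo() -> dict:
    """Run the scenarios the article contrasts and report which succeed."""
    issuer = Issuer()
    issuer.enroll(TEST_PAN, TEST_CARD_KEY)
    card = ChipCard(TEST_PAN, TEST_CARD_KEY)

    # Stripe: two swipes are byte-identical, so harvested data re-encodes onto a blank.
    stripe_clonable = magstripe_track2(TEST_PAN, TEST_EXPIRY) == magstripe_track2(TEST_PAN, TEST_EXPIRY)

    # Chip: a genuine transaction against a fresh terminal challenge.
    un1 = os.urandom(4)
    txn1 = card.generate_ac(1999, un1)
    genuine = issuer.authorize(txn1, un1)

    # Attacker who scraped txn1 from POS memory replays it, under a new or the same challenge.
    replay = issuer.authorize(txn1, os.urandom(4))
    replay_same_un = issuer.authorize(txn1, un1)

    # Attacker alters the amount of an otherwise valid transaction in transit.
    un3 = os.urandom(4)
    tampered = issuer.authorize(dict(card.generate_ac(500, un3), amount=50000), un3)

    # Attacker holds the PAN but not the key and forges a cryptogram.
    forged = issuer.authorize({"pan": TEST_PAN, "amount": 100, "atc": 99, "un": un3, "ac": b"\0" * 8}, un3)

    return {"stripe_clonable": stripe_clonable, "genuine": genuine, "replay": replay,
            "replay_same_un": replay_same_un, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:16} -> {'accepted' if accepted else 'rejected'}")
```

The only scenario that succeeds for the attacker is the stripe clone; every reuse of chip data fails on the counter, the challenge or the MAC. The check order matters: the cheap counter and challenge comparisons reject replays before any key is touched, which also keeps the issuer from doing MAC work on behalf of a replay flood.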

Threat landscape in the crosshairs

Target confirmed that the hack was the result of malware loaded onto Target's POS terminals. But Bloodworth added that the only way that malware was installed was by hackers gaining access to Target's network.

A webinar held Jan. 15 and hosted by the law firm of Baker & Hostetler LLP detailed the types of malware attacks prevalent today. In Managing Cardholder Data Security Risks in an Evolving Payments Landscape, Marshall Heilman, Principal Consultant at Mandiant Corp., outlined several variants of RAM scraper attacks, "memory scraping malware" that reads card data out of process memory and can be planted directly on POS terminals or, more commonly, on the retailers' back-office servers connected to those terminals.

"It's smarter for the attacker to install the malware on the point of sale server," Heilman said. "That way he can harvest all cards processed at that single store rather than having to do each register individually."
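What a RAM scraper actually hunts for is the track data a POS application holds in memory between the swipe and encryption for transmission. The following added example, not code from the article, Mandiant or any named malware family, shows the same search from the defender's side: it scans a memory buffer for Track 1 and Track 2 patterns, validates candidate PANs with the Luhn check to discard false positives, and reports masked results. The sample memory image, the regular expressions and the helper names are constructed here for illustration; in practice the buffer would come from a process memory dump of the POS software or back-office server.

```python
"""Scan a memory image for mag stripe track data, as a RAM scraper would.

Added example, not from the article or from Mandiant. The memory image below is
constructed; point scan_memory() at a real process dump to check for exposure.
"""
import re

# Track 2: ;PAN=YYMM SSS discretionary?  Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[\d ]*\?")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.,'-]{2,26})\^(\d{2})(\d{2})(\d{3})[A-Z0-9 ]*\?")

# Constructed sample memory image: two real-format tracks with Luhn-valid
# test PANs, plus a decoy that has the right shape but fails the checksum.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"POS-SVC v3.2 heartbeat OK\n"
    + b";4111111111111111=25121010000000000000?"               # Track 2
    + b"\x00" * 8
    + b"%B5555555555554444^DOE/JOHN^2512101000000000000?"      # Track 1
    + b"\x00\x01\x02"
    + b";1234567890123456=2512101000000?"                      # decoy, Luhn fails
    + b"\xff" * 16
)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: every card PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (what PCI DSS allows to be displayed)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return every track-shaped hit in buf, ordered by offset, with Luhn status."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                     "luhn_ok": luhn_ok(pan), "expiry": f"20{m.group(2).decode()}-{m.group(3).decode()}",
                     "service_code": m.group(4).decode()})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan), "name": m.group(2).decode(),
                     "luhn_ok": luhn_ok(pan), "expiry": f"20{m.group(3).decode()}-{m.group(4).decode()}",
                     "service_code": m.group(5).decode()})
    return sorted(hits, key=lambda h: h["offset"])


def confirmed_hits(buf: bytes) -> list:
    """Only hits whose PAN passes Luhn: the ones a scraper would keep and ship."""
    return [h for h in scan_memory(buf) if h["luhn_ok"]]


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MEMORY
    for hit in scan_memory(image):
        status = "PAN" if hit["luhn_ok"] else "decoy"
        print(f"offset {hit['offset']:6d}  track {hit['track']}  {hit['pan']}  exp {hit['expiry']}  {status}")
```

Run with no arguments it scans the constructed image and reports two confirmed PANs and one decoy; run with a path it scans a dump file. Service code 101 in the sample marks a card with international use and no chip, which is exactly the population a stripe-only scraper can clone; a first digit of 2 or 6 would indicate a chip card, where the harvested stripe data is of less use for counterfeiting.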

Another popular attack vector is called backdoor variant No. 2. Heilman said it is malware disguised as a common server application, such as the Apache Benchmark utility (ab), that runs surreptitiously in the background and steals data.

A simpler attack, called backdoor variant No. 3, involves a fraudster who gains access to a so-called secure environment where sensitive data is stored, such as transaction data, via a retailer's virtual private network. Hackers obtain system administrator credentials (login name and password) to pose as legitimate users logging into systems remotely, Heilman said.

Problems with PCI?

Heilman believes the best way to ensure network integrity is through proper segmentation of the network as described by the Payment Card Industry (PCI) Data Security Standard (DSS). In this scenario, the systems that store, process or transmit cardholder data are walled off from the rest of the corporate network, so a foothold on an office workstation or a vendor connection does not by itself reach the POS servers.

However, Narendra countered that security experts are still too focused on software. "Unfortunately, what has happened in the security industry is, not all companies but some set of companies, if you look at the predominance, they all migrated from hardware expertise in the last decade," he said. "Often when you have conversations with the so-called security expert, most of them don't even understand what a smart card is."

Additionally, Narendra views the entire PCI DSS framework as inefficient because it fails to address hardware as ultimately the best security solution. "PCI is grossly insufficient," he said. "It was valuable in the past and now it is nothing but a patchwork. It does not mandate hardware. It is high time it did. Without that, it will become irrelevant."

Narendra's opinion is seconded by Gary Olson, President and CEO of ESSA Bank in Stroudsburg, Pa. In a Jan. 14, 2014, American Banker article, Olson remarked on the weakness of the card payment system and was quoted as saying that the PCI standard is "not effective at all."


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
